[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] problem with nwfilter and ip6tables



Hi,

I'm investigating using the nwfilter-functionality of libvirt to give my clients the possibility to block ports of their VPSes. The same mechanism allows me to restrict the outgoing traffic a VPS is generating. In the end, I want to restrict MAC, IPv4 and IPv6 traffic, while the client can also restrict traffic to UDP and TCP.

All goes well, until I want to restrict the UDP/TCP traffic to certain IPv6 addresses. Where iptables shows the IPv4-restriction I've put up, ip6tables doesn't show anything. In the logs, I only see some ip6tables -D, -X and -F commands failing, which is expected when libvirt tries to delete/flush rules that were never there.

I've built my nwfilter containing the following IPv6-rules, which I for instance reference once for all the TCP-ports which should be open.

<!-- Allow established traffic -->
<filter name='ipv6-allow-statefull' chain='ipv6'>
  <rule action='accept' direction='in' priority='500'>
    <all state='ESTABLISHED'/>
  </rule>
  <rule action='accept' direction='out' priority='500'>
    <all state='ESTABLISHED,RELATED'/>
  </rule>
</filter>

<!-- Allow TCP in $PORT -->
<filter name='ipv6-allow-create-state-by-port' chain='ipv6'>
  <rule action='accept' direction='in' priority='500'>
    <tcp state='NEW' dstportstart='$PORT'/>
  </rule>
  <rule action='accept' direction='in' priority='500'>
    <udp state='NEW' dstportstart='$PORT'/>
  </rule>
</filter>

<!-- Allow IPv6 traffic from $RANGE -->
<filter name='ipv6-allow-create-state-by-range' chain='ipv6'>
  <rule action='accept' direction='out' priority='500'>
    <ipv6 srcipaddr='$RANGE' srcipmask='64'/>
  </rule>
</filter>

<!-- Drop all other IPv6 traffic -->
<filter name='ipv6-drop-stateless' chain='ipv6'>
  <rule action='drop' direction='inout' priority='999'>
    <all/>
  </rule>
</filter>

I use a similar approach for my IPv4 firewall, and it works perfectly. When I use these IPv6 rules, all IPv6 traffic is apparently dropped, but it's hard to debug when the result of this config is abscent in ip6tables.

I'm using these version of software on debian 6.0 squeeze:
virsh # version
Compiled against library: libvir 0.9.2
Using library: libvir 0.9.2
Using API: QEMU 0.9.2
Running hypervisor: QEMU 0.15.0

Does anyone have any clues? Thanks in advance!

Regards,

Reinier Schoof

--

TransIP BV | https://www.transip.nl/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]